Securing SSL access to your website
The instructions below show how to deny access to your site when a request arrives over an unsecured connection.
The examples that follow show how to detect whether a page has been accessed via SSL and deny access if it has not.
On Linux
On our Linux shared hosting accounts, the environment variable SSL will be set when the connection is SSL-secured.
Via .htaccess
On our Linux shared hosting accounts, you can restrict a directory to SSL-only access by putting the following commands in a .htaccess file. This will apply to all files within the directory, and all subdirectories:
Order deny,allow
Deny from all
Allow from env=SSL
Any attempt to access this directory over plain http will be denied, while access over SSL will be allowed.
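The outcome of these three directives depends on the Order line and on the Deny line being present. The following is an added example, not code from the original article: a small Python model of Apache's Order/Deny/Allow evaluation for the rules above (the function names and the sample value "1" for the SSL variable are assumptions), showing the result for SSL and plain http requests and what changes if the Order is reversed or the Deny line is dropped.

```python
# Added example: models only the "all" and "env=NAME" forms used on this page.
PAGE_RULES = """\
Order deny,allow
Deny from all
Allow from env=SSL
"""

def parse(htaccess):
    """Return (order, allow_specs, deny_specs) from .htaccess text."""
    order, allow, deny = "deny,allow", [], []   # deny,allow is Apache's default Order
    for line in htaccess.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        name = words[0].lower()
        if name == "order" and len(words) == 2:
            order = words[1].lower()
        elif name in ("allow", "deny") and len(words) >= 3 and words[1].lower() == "from":
            (allow if name == "allow" else deny).extend(words[2:])
    return order, allow, deny

def matches(spec, env):
    """True if an Allow/Deny spec applies to a request with environment env."""
    if spec.lower() == "all":
        return True
    if spec.startswith("env="):
        return spec[4:] in env      # matches when the variable exists
    return False                    # host/IP specs are not modelled here

def is_allowed(htaccess, env):
    """Decide access the way the Order directive combines Allow and Deny."""
    order, allow, deny = parse(htaccess)
    allowed = any(matches(s, env) for s in allow)
    denied = any(matches(s, env) for s in deny)
    if order == "deny,allow":
        return allowed or not denied    # default allow; Allow overrides Deny
    if order == "allow,deny":
        return allowed and not denied   # default deny; Deny overrides Allow
    raise ValueError("unsupported Order: " + order)

if __name__ == "__main__":
    https, http = {"SSL": "1"}, {}      # constructed request environments
    swapped = PAGE_RULES.replace("deny,allow", "allow,deny")
    no_deny = PAGE_RULES.replace("Deny from all\n", "")
    for label, rules in [("page rules", PAGE_RULES), ("Order reversed", swapped),
                         ("Deny line missing", no_deny)]:
        print(label, "| https:", is_allowed(rules, https), "| http:", is_allowed(rules, http))
```

With the Order reversed the directory is denied to everyone, SSL included; with the Deny line missing, plain http requests are allowed and the restriction silently does nothing.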
PHP
To restrict access to an individual script, simply add the following lines to the top of your PHP file:
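<?php
// The SSL environment variable is only set when the connection is SSL-secured.
if (getenv('SSL') === false) {
    echo "You are not authorised to access this page.";
    exit;
}
?>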
On Windows
Any SSL connection to our Windows shared hosting accounts will have the HTTP header X-Forwarded-SSL set.
C#
You should make a class called SecurePage which inherits from your main page class (probably System.Web.UI.Page):
using System.Web;

public partial class SecurePage : System.Web.UI.Page
{
    public SecurePage()
    {
        // X-Forwarded-SSL is only present when the request arrived over SSL.
        if (HttpContext.Current.Request.Headers["X-Forwarded-SSL"] == null)
        {
            // Reject the request with 403 Forbidden and stop processing the page.
            HttpContext.Current.Response.StatusCode = 403;
            HttpContext.Current.Response.StatusDescription = "Forbidden";
            HttpContext.Current.Response.Output.WriteLine("<h2>You are not authorised to access this page.</h2>");
            HttpContext.Current.Response.End();
        }
    }
}
Any attempt to access this page produces output: